Abstract



Decreasing diagrams are a complete characterization of confluence for abstract rewrite systems 
whose convertibility classes are countable. In this paper we present a formalization of decreasing 
diagrams in the theorem prover Isabelle. The main contribution is a formal proof that any locally 
decreasing abstract rewrite system is confluent. 
1 Introduction

Formalizing confluence criteria has a long history in λ-calculus. Huet [S] proved a stronger
variant of the parallel moves lemma in Coq. Isabelle/HOL was used in [13] to prove the
Church-Rosser property of β, η, and βη. For β-reduction the standard Tait/Martin-Löf
proof as well as Takahashi's proof [22] were formalized. The first mechanically verified proof
of the Church-Rosser property of β-reduction was done using the Boyer-Moore theorem
prover [21]. The formalization in Twelf [H] was used to formalize the confluence proof of a
specific higher-order rewrite system in [26].

Newman's lemma (for abstract rewrite systems) and Knuth and Bendix' critical pair
theorem (for first-order rewrite systems) have been proved in [23] using ACL. An alternative
proof of the latter in PVS, following the higher-order structure of Huet's proof, is presented
in [Z]. PVS is also used in the formalization of the lemmas of Newman and Yokouchi in [5].
Knuth and Bendix' criterion has also been formalized in Coq [3] and Isabelle [29].

Decreasing diagrams [17] are a complete characterization of confluence for abstract
rewrite systems whose convertibility classes are countable. As a criterion for abstract rewrite
systems, they can easily be applied for first- and higher-order rewriting, including term
rewriting and the λ-calculus. Furthermore, decreasing diagrams yield constructive proofs
of confluence [20] (in the sense that the joining sequences can be computed based on the
divergence). We are not aware of a (complete) formalization of decreasing diagrams in any
theorem prover (see remarks in Section 5).

In this paper we discuss a formalization of decreasing diagrams in the theorem prover
Isabelle/HOL. (In the sequel we just call it Isabelle.) We closely follow the original proof [17].
For alternative proofs see [TJ [TTl [TH] or [101 UHl H], where proof orders play an essential role.
The main contribution of this paper is a mechanical proof of the following theorem in Isabelle.

► Theorem 1 (van Oostrom [17]). A locally decreasing abstract rewrite system is confluent.

To achieve this goal we had to identify (and fix some) omissions in [17] and had to give
formal proofs of all intermediate results. As a consequence all lemmata in this paper have
been formally proven in Isabelle. Our formalization consists of approximately 1000 lines of
Isabelle code in the Isar style and contains 22 definitions and 97 lemmata. It is available
Table 1 Predefined Isabelle operators (columns: meaning, set, multiset, sequence/list, notation of [17]; the table body was not preserved).



from http://cl-informatik.uibk.ac.at/users/hzankl/Decreasing_Diagrams.thy. It
requires Isabelle 2012 and the Archive of Formal Proofs^2 from July 30, 2012.

The remainder of this paper is organized as follows. In the next section we recall some
preliminaries that are helpful to understand our formalization, which is described in Section 3.
In Section 4 we highlight changes to (and omissions in) the proofs from [17] before
we conclude in Section 5.



2 Preliminaries 



We assume familiarity with rewriting [28] and the original proof of decreasing diagrams [17].
Basic knowledge of Isabelle [15] is not essential but may be helpful. Our formalization
imports the theory Multiset.thy from the Isabelle library and Abstract_Rewriting.thy from
the Archive of Formal Proofs (see [25]).

In Isabelle an abstract rewrite system (ARS) is a set of pairs of objects of the same type,
i.e., a binary relation. We introduce labeled ARSs in Section 3.4.

We will use A (B) for (labeled) ARSs and denote sets by S, T, U, multisets by M, N, I,
J, K, Q, single labels by α and β, and lists of labels by σ, τ, υ, ρ, and κ (possibly primed).

Table 1 gives an overview of several predefined operators in Isabelle for sets, multisets,
and lists, where we also incorporated the notation from [17] in the rightmost column. In
addition we need the difference (intersection) of a multiset with a set. Here M −s S
(M ∩s S) removes (keeps) all occurrences of elements in M that are in S. In the paper we will
use the Isabelle notation, but drop the @ for concatenating sequences.

Then we can easily establish the following relationships: 

► Lemma 2 (parts of [17, Lemma A.3]).

1. (M + N) −s S = (M −s S) + (N −s S)

2. (M −s S) −s T = M −s (S ∪ T)

3. M = (M ∩s S) + (M −s S)

4. (M −s T) ∩s S = (M ∩s S) −s T

Proof. By definition of multisets and the operators. ◁

Sometimes it will be necessary to convert e.g. a multiset to a set. In Isabelle we will 
use the functions set/set_of, and multiset_of, which convert a list/multiset into a set, and a 
list into a multiset, respectively. In the paper we leave these conversions implicit, since no 
confusion can arise. 



^2 http://afp.sourceforge.net/download.shtml
3 Formalization of Decreasing Diagrams

We assume familiarity with the original proof of decreasing diagrams in [17], upon which our
formalization is based. Nevertheless we will recall the important definitions and lemmata.
However, we only give proofs if our proof deviates from the original argument. In addition
we state (sometimes small) key results, since an effective collection of lemmata is crucial for
completely formal proofs.

The remainder of this section is organized as follows: Section 3.1 describes our results on
multisets. Section 3.2 is dedicated to decreasingness (of labels) and Section 3.3 is concerned
with an alternative formulation of local decreasingness. Afterwards, Section 3.4 lifts
decreasingness (from labels) to diagrams. Well-foundedness of the measure on peaks is proved
in Section 3.5, which is needed for the main result in Section 3.6. As an application of
decreasing diagrams we have formally proved Newman's Lemma [13] in Section 3.7.



3.1 Multisets 

In the sequel we assume ≺ to be transitive and irreflexive.

► Definition 3 ([17, Definition 2.5]).

1. The set ∇α is the strict order ideal generated by (or down-set of) α, defined by ∇α =
{β | β ≺ α}. This is extended to sets ∇S = ⋃_{α∈S} ∇α. We define ∇M and ∇σ to be the
down-set generated by the set of elements in M and σ, respectively.

2. The (standard) multiset extension (denoted by ≺mul) of ≺ is defined by

M ≺mul N if ∃ I J K. M = I + K, N = I + J, K ⊆ ∇J, and J ≠ {#}

The relation ≼mul is obtained by removing the last condition (J ≠ {#}). Note that ≼mul
is the reflexive closure of ≺mul.^3



This definition can easily be mimicked in Isabelle (here ds/dm/dl defines the down-set
for a set/multiset/list):^4

    definition ds :: "'a rel ⇒ 'a set ⇒ 'a set"
      where "ds r S = {y . ∃x ∈ S. (y,x) ∈ r}"

    definition dm :: "'a rel ⇒ 'a multiset ⇒ 'a set"
      where "dm r M = ds r (set_of M)"

    definition dl :: "'a rel ⇒ 'a list ⇒ 'a set"
      where "dl r σ = ds r (set σ)"

    definition mul :: "'a rel ⇒ 'a multiset rel" where
      "mul r = {(M,N). ∃I J K. M = I + K ∧ N = I + J ∧ set_of K ⊆ dm r J ∧ J ≠ {#}}"

    definition mul_eq :: "'a rel ⇒ 'a multiset rel" where
      "mul_eq r = {(M,N). ∃I J K. M = I + K ∧ N = I + J ∧ set_of K ⊆ dm r J}"

We establish the following easy result on the down-set, which is not mentioned in [17]
but turned out to be handy for our formalization:

^3 See Lemma 32 in Section 4.

^4 For readability of subsequent definitions we denote ≺ by r within code listings.
► Lemma 4. ∇(∇S) ⊆ ∇S

Proof. Assume x ∈ ∇(∇S). Then there must be a y ∈ ∇S with x ≺ y. From y ∈ ∇S we get
a z ∈ S with y ≺ z. Then x ≺ z by transitivity and hence x ∈ ∇S. ◁

The multiset extension inherits some properties of the base relation, which we will
implicitly use in the sequel.

► Lemma 5. Let ≺ be a transitive and well-founded relation. Then ≺mul is transitive and
well-founded, and ≼mul is reflexive and transitive.

Proof. All these properties follow from Lemma 31 (Section 4) in combination with existing
results in Multiset.thy. ◁

We can now establish the following properties.

► Lemma 6 ([17, Lemma 2.6]).

1. ∇(S ∪ T) = ∇S ∪ ∇T and ∇(στ) = ∇σ ∪ ∇τ and ∇(M −s S) ⊇ ∇M −s ∇S

2. M ≤ N ⟹ M ≼mul N ⟹ ∇M ⊆ ∇N

3. M ≼mul N ⟹ ∃ I J K. N = I + J ∧ M = I + K ∧ J #∩ K = {#} ∧ K ⊆ ∇J

4. M ≠ {#} ∧ M ⊆ ∇N ⟹ M ≺mul N

5. M ≼mul N ⟹ M −s ∇S ≼mul N −s ∇S

6. M ≼mul N ⟹ Q + M ≼mul Q + N

7. Q ⊆ ∇N − ∇M ∧ M ≼mul N ⟹ Q + M ≼mul N

8. S ⊆ T ⟹ M −s T ≼mul M −s S

9. M ≺mul N ⟹ Q + M ≺mul Q + N

Proof.

3. Assume M = I + K, N = I + J, and K ⊆ ∇J. Take I' = I + (J #∩ K), K' = K − (J #∩ K),
and J' = J − (J #∩ K). Obviously K' and J' are disjoint. The result follows from:

K ⊆ ∇J ⟹ K' ⊆ ∇J'

To show the result we fix a k ∈# K − (J #∩ K). Obviously k ∈# K and we show that
for any K' we have K' ≤ K ⟹ k ∈ ∇(J − K') by induction (on K') on finite multisets.
Hence k ∈ ∇(J − K) and we conclude by the observation that J − K = J − (J #∩ K).

5. Follows from [17, Lemma 2.6(5)] using Lemma 4.

6. Immediate from [17, Lemma 2.6(6)].

8. From the hypothesis we get M −s T ≤ M −s S, which yields the result from item (2).

9. By definition of ≺mul.

The other items are proved as in [17]. ◁

Note that statements (5) and (6) slightly differ from [17, Lemma 2.6] (5,6), but are easier
to apply. However, the statements of (8) and (9) are not mentioned in [17]; we required them
to replay [17, Lemmata 3.5 and 3.6].
Figure 1 Diagrams. (a) Decreasing diagram. (b) Locally decreasing diagram.



3.2 Decreasingness 

We define the lexicographic maximum measure, which maps lists to multisets, inductively.

► Definition 7 ([17, Definition 3.2]).

- |[]| = {#}

- |ασ| = {#α#} + (|σ| −s ∇α)

Since the lexicographic maximum measure depends on the base order ≺ on labels, in
Isabelle this definition amounts to:



    fun lexmax :: "'a rel ⇒ 'a list ⇒ 'a multiset" ("(_|_|)") where
        "r|[]| = {#}"
      | "r|α#σ| = {#α#} + (r|σ| -s ds r {α})"





The next lemma establishes properties of the lexicographic maximum measure.

► Lemma 8 ([17, Lemma 3.2]).

1. ∇|σ| = ∇σ

2. |στ| = |σ| + (|τ| −s ∇σ)

Proof.

1. By induction on σ. The base case is trivial. Using Lemma 6(1) the inductive step
amounts to ∇α ∪ ∇(|σ| −s ∇α) = ∇α ∪ ∇σ. The inclusion from left to right follows from the
induction hypothesis. For the inclusion from right to left we proceed by case analysis.
If x ∈ ∇α then the result immediately follows. If x ∉ ∇α then clearly x ∈ ∇σ and from
the induction hypothesis x ∈ ∇|σ|. Furthermore x ∉ ∇α using Lemma 4 also yields
x ∉ ∇(∇α). Hence x ∈ ∇|σ| −s ∇(∇α) and from Lemma 6(1) we obtain x ∈ ∇(|σ| −s ∇α),
from which the result follows.

2. By induction on σ, see [17]. ◁

Decreasingness is defined on quadruples (of labels).

► Definition 9 ([17, Definition 3.3] for labels). The quadruple of labels (τ, σ, σ', τ') is
decreasing (D) if |στ'| ≼mul |τ| + |σ| and |τσ'| ≼mul |τ| + |σ|. For a visualization see Figure 1(a).^5

We write D into a diagram to indicate that its labels are decreasing.
This definition has a one-to-one correspondence in Isabelle:

^5 Although the results in Sections 3.2 and 3.3 are on labels only, for visualization we already use diagrams,
although labeled rewriting will only be introduced in Section 3.4.
    definition decreasing :: "'a rel ⇒ 'a list ⇒ 'a list ⇒ 'a list ⇒ 'a list ⇒ bool"
      where "decreasing r τ σ σ' τ' =
        ((r|σ@τ'|, r|τ| + r|σ|) ∈ mul_eq r ∧ (r|τ@σ'|, r|τ| + r|σ|) ∈ mul_eq r)"



Decreasingness can also be stated differently.

► Lemma 10 ([17, Definition 3.3]). The statements

1. |στ'| ≼mul |τ| + |σ| and |τσ'| ≼mul |τ| + |σ| and

2. |τ'| −s ∇σ ≼mul |τ| and |σ'| −s ∇τ ≼mul |σ|

are equivalent.

Proof. By Lemma 8(2) and Lemma 6(6). ◁

We have followed the (involved) proofs in [17] that pasting preserves decreasingness
(Lemma 11) and that pasting is hypothesis decreasing (Lemma 12) without big changes.

► Lemma 11 ([17, Lemma 3.5] for labels). Pasting two decreasing diagrams D yields a
decreasing diagram D (the diagram of the original figure is not preserved here).

Proof. As in [17] except that we show ≼mul instead of ⊆ for the step

(|υ'| −s ∇στ') −s ∇τ ≼mul (|υ'| −s ∇σ') −s ∇τ

where we needed Lemma 6(8) (in the last sequence in [17, Proof of Lemma 3.5]). ◁

► Lemma 12 ([17, Lemma 3.6] for labels). If τ is non-empty and the labels (τ, σ, σ', τ')
form a decreasing diagram (depicted in the original figure), then |σ'| + |υ| ≺mul |σ| + |τυ|.

Proof. As in [17] using Lemma 6(9) in the second step. ◁



3.3 Local Decreasingness

Labels in Figure 1(a) are locally decreasing (LD) if they are decreasing and both σ and τ
consist of exactly one label (see Figure 1(b)). Local decreasingness can also be formulated
differently:

► Lemma 13 ([17, Proposition 3.4]). The form of locally decreasing labels is specified in
Figure 2(a).
Figure 2 Local diagrams. (a) Alternative formulation of local decreasingness. (b) Giving names to the joining sequences.



To show the lemma we give names to the joining sequences as in Figure 2(b). Then the
condition of Figure 2(a) can be expressed as^6

LD' := σ1 ⊆ ∇β ∧ length σ2 ≤ 1 ∧ σ2 ⊆ {α} ∧ σ3 ⊆ ∇αβ ∧
       τ1 ⊆ ∇α ∧ length τ2 ≤ 1 ∧ τ2 ⊆ {β} ∧ τ3 ⊆ ∇αβ

Local decreasingness of the labels in the diagram of Figure 1(b) (using Lemma 10) amounts
to the condition

LD := |σ'| −s ∇β ≼mul |α| ∧ |τ'| −s ∇α ≼mul |β|

Hence Lemma 13 states that LD' ⟺ LD. This means that

(i) if a local diagram satisfies the conditions in Figure 2(a), i.e. LD', then it is decreasing and

(ii) local decreasingness implies that the joining sequences τ' and σ' in Figure 1(b) can be
decomposed into τ1τ2τ3 and σ1σ2σ3 such that the properties of the local diagram in
Figure 2(a), i.e. LD', are satisfied.
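As an added, executable illustration (not part of the paper or its Isabelle theory), the following Python code mirrors the definitions of Sections 3.1 to 3.3 on finite data: the down-set ds, the multiset extension decided via the disjoint decomposition of Lemma 6(3), the measure |σ| of Definition 7, decreasingness (Definition 9), and the two formulations LD and LD' of Lemma 13, evaluated on a constructed local peak. It assumes that labels are small integers and that ≺ is supplied as an explicit finite set of pairs (y, x) meaning y ≺ x.

```python
"""Added example: computable versions of Definitions 3, 7 and 9 and of LD/LD'.

Assumptions (not from the paper): labels are small integers, the base order
is an explicit finite set `r` of pairs (y, x) meaning y ≺ x, and multisets
are `collections.Counter` objects with positive counts only.
"""
from collections import Counter
from typing import Iterable, List, Set, Tuple

Rel = Set[Tuple[int, int]]


def ds(r: Rel, s: Iterable[int]) -> Set[int]:
    """Down-set ∇S = {y | ∃x ∈ S. (y, x) ∈ r} (the Isabelle definition ds)."""
    s = set(s)
    return {y for (y, x) in r if x in s}


def minus_s(m: Counter, s: Set[int]) -> Counter:
    """M -s S: remove every occurrence of an element of S from M."""
    return Counter({a: n for a, n in m.items() if a not in s})


def mul_eq(r: Rel, m: Counter, n: Counter) -> bool:
    """M ≼mul N (Definition 3(2) without the condition J ≠ {#}).

    Lemma 6(3) allows a decomposition with J and K disjoint; such a
    decomposition is unique (I = M ∩# N), so one check decides the relation.
    """
    i = m & n                    # multiset intersection I
    k, j = m - i, n - i          # K = M - I,  J = N - I
    return set(k) <= ds(r, j)    # K ⊆ ∇J


def mul(r: Rel, m: Counter, n: Counter) -> bool:
    """M ≺mul N: by Lemma 32 this is ≼mul without the reflexive pairs."""
    return mul_eq(r, m, n) and m != n


def lexmax(r: Rel, sigma: List[int]) -> Counter:
    """Lexicographic maximum measure |σ| (Definition 7):
    |[]| = {#} and |ασ| = {#α#} + (|σ| -s ∇α)."""
    if not sigma:
        return Counter()
    a, rest = sigma[0], sigma[1:]
    return Counter({a: 1}) + minus_s(lexmax(r, rest), ds(r, {a}))


def decreasing(r: Rel, tau, sigma, sigma_p, tau_p) -> bool:
    """Definition 9: |στ'| ≼mul |τ| + |σ| and |τσ'| ≼mul |τ| + |σ|."""
    peak = lexmax(r, tau) + lexmax(r, sigma)
    return (mul_eq(r, lexmax(r, sigma + tau_p), peak)
            and mul_eq(r, lexmax(r, tau + sigma_p), peak))


def ld(r: Rel, alpha: int, beta: int, sigma_p, tau_p) -> bool:
    """LD for the local peak with steps β and α, in the form of Lemma 10:
    |σ'| -s ∇β ≼mul |α|  and  |τ'| -s ∇α ≼mul |β|."""
    return (mul_eq(r, minus_s(lexmax(r, sigma_p), ds(r, {beta})), Counter({alpha: 1}))
            and mul_eq(r, minus_s(lexmax(r, tau_p), ds(r, {alpha})), Counter({beta: 1})))


def _splits(r: Rel, seq: List[int], first: int, single: int) -> bool:
    """Is seq = s1 s2 s3 with s1 ⊆ ∇first, length s2 ≤ 1, s2 ⊆ {single}
    and s3 ⊆ ∇{first, single}?  (One half of LD' in Figure 2(a).)"""
    below_first, below_both = ds(r, {first}), ds(r, {first, single})
    n = len(seq)
    for i in range(n + 1):
        for j in range(i, min(i + 1, n) + 1):
            s1, s2, s3 = seq[:i], seq[i:j], seq[j:]
            if (set(s1) <= below_first and set(s2) <= {single}
                    and set(s3) <= below_both):
                return True
    return False


def ld_prime(r: Rel, alpha: int, beta: int, sigma_p, tau_p) -> bool:
    """LD' (Figure 2(a)): σ' = σ1σ2σ3 with σ1 ⊆ ∇β, σ2 ⊆ {α}, σ3 ⊆ ∇αβ and
    symmetrically τ' = τ1τ2τ3 with τ1 ⊆ ∇α, τ2 ⊆ {β}, τ3 ⊆ ∇αβ."""
    return _splits(r, sigma_p, beta, alpha) and _splits(r, tau_p, alpha, beta)


# Constructed data: labels 0..4 under the usual < (transitive, well-founded).
LESS: Rel = {(y, x) for x in range(5) for y in range(x)}
ALPHA, BETA = 2, 3
SIGMA_P, TAU_P = [1, 2, 0], [3, 1]   # joining sequences closing the peak β, α
BAD_SIGMA_P = [4]                    # 4 is above both α and β: not decreasing

if __name__ == "__main__":
    print("|[2,1,3,1]| =", dict(lexmax(LESS, [2, 1, 3, 1])))   # {2: 1, 3: 1}
    print("decreasing:", decreasing(LESS, [BETA], [ALPHA], SIGMA_P, TAU_P))
    for sp in (SIGMA_P, BAD_SIGMA_P):
        # Lemma 13: LD and LD' agree on every local diagram.
        print(sp, ld(LESS, ALPHA, BETA, sp, TAU_P), ld_prime(LESS, ALPHA, BETA, sp, TAU_P))
```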

Lemma 15 will be the key result for (i), but first we establish a useful lemma.

► Lemma 14. |σ| ⊆ σ

Proof. By induction on σ. The base case is trivial. The step case amounts to

|ασ| = α + (|σ| −s ∇α) ⊆ α + (σ −s ∇α) ⊆ ασ

using Definition 7 in the first step and the induction hypothesis in the second step. ◁

In the sequel we will view |σ| and σ as sets and use |σ| ⊆ σ.
Now we can prove the following key result.

► Lemma 15. σ1 ⊆ ∇β ∧ length σ2 ≤ 1 ∧ σ2 ⊆ {α} ∧ σ3 ⊆ ∇αβ ⟹ |σ1σ2σ3| −s ∇β ≼mul |α|

Proof. We show (★):

(|σ1| −s ∇β) + ((|σ2| −s ∇σ1) −s ∇β) + (((|σ3| −s ∇σ2) −s ∇σ1) −s ∇β) ≼mul {#α#}

^6 Here length computes the length of a list.
which is equivalent to the conclusion by Lemmata 8(2), 2(1) and Definition 7. The hypothesis
contains σ1 ⊆ ∇β, which together with Lemma 14 yields |σ1| ⊆ ∇β and hence

|σ1| −s ∇β = {#} (1)

Similarly from σ3 ⊆ ∇αβ we get |σ3| −s (∇α ∪ ∇β) = {#} and hence

|σ3| −s (∇σ2 ∪ ∇σ1 ∪ ∇α ∪ ∇β) = {#} (3)

Using length σ2 ≤ 1 ∧ σ2 ⊆ {α} from the hypothesis we have two cases to consider for σ2.

- If σ2 = [] then

(|σ2| −s ∇σ1) −s ∇β = {#} (2)

and from (3) we have

((|σ3| −s ∇σ2) −s ∇σ1) −s ∇β ≼mul {#α#} (3')

using Lemma 2(2). Then (★) follows immediately from (1), (2), and (3').

- If σ2 = [α] then we get (2')

(|σ2| −s ∇σ1) −s ∇β = |σ2| −s (∇σ1 ∪ ∇β)      Lemma 2(2)
                      = {#α#} −s (∇σ1 ∪ ∇β)    σ2 = [α] with Definition 7
                      ≼mul {#α#}               Lemma 6(8)

and (because ∇σ2 = ∇α), similar as in the other case, from (3) we get

((|σ3| −s ∇σ2) −s ∇σ1) −s ∇β = {#} (3'')

From (1), (2'), and (3'') we conclude (★). ◁

Next we prepare for the key lemma to establish (ii), i.e., Lemma 17, after establishing
useful intermediate results. Note that Lemma 16(2) can be seen as an inverse of Lemma 14.

► Lemma 16.

1. α ∈# |σ| ⟹ ∃σ1 σ3. σ = σ1ασ3 ∧ α ∉ ∇σ1

2. |σ| ⊆ ∇S ⟹ σ ⊆ ∇S

3. S ⊆ ∇T ⟹ ∇S ⊆ ∇T

Proof.

1. By induction on σ. The base case is trivial. In the step case we can assume that α ∈# |βσ|.
We proceed by case analysis.

- If α = β then we are done with σ1 = [] and σ3 = σ.

- In the other case we have α ∈# |σ| and α ∉ ∇β from Definition 7. The induction
hypothesis yields σ'1 and σ'3 with σ = σ'1ασ'3 such that α ∉ ∇σ'1. Because α ∉ ∇β we
can conclude with σ1 = βσ'1 and σ3 = σ'3 using Lemma 6(1).

2. Assume α ∈ σ. If α ∈# |σ| then we are done by the hypothesis. In the other case there
must be a β ∈ |σ| (easy induction on σ) with α ≺ β. From the hypothesis we get that
β ∈ ∇S and by transitivity also α ∈ ∇S, which finishes the proof.

3. We assume x ∈ ∇S. If x ∈ S then the hypothesis finishes the proof. In the other case
there is a y ∈ S with x ≺ y. The hypothesis yields y ∈ ∇T. From this we obtain a z ∈ T
with y ≺ z. By transitivity of ≺ we get x ≺ z, which shows the result. ◁
With these additional lemmata we can now prove the following key result.

► Lemma 17. |σ'| −s ∇β ≼mul {#α#} ⟹ ∃σ1 σ2 σ3. σ' = σ1σ2σ3 ∧ σ1 ⊆ ∇β ∧ length σ2 ≤ 1 ∧
σ2 ⊆ {α} ∧ σ3 ⊆ ∇αβ

Proof. To show the result we perform a case analysis.

- If α ∈# |σ'| −s ∇β then Lemma 16(1) yields σ1 and σ3 with σ' = σ1ασ3 and α ∉ ∇σ1.
Hence from the hypothesis and Lemma 8(2) we get

(|σ1| −s ∇β) + {#α#} + (((|σ3| −s ∇α) −s ∇σ1) −s ∇β) ≼mul {#α#}

and since α ∉ ∇σ1 and α ∉ ∇β it follows that

|σ1| −s ∇β = {#} and ((|σ3| −s ∇α) −s ∇σ1) −s ∇β = {#}

Now, Lemma 2(2) yields

|σ1| ⊆ ∇β and |σ3| ⊆ ∇α ∪ ∇σ1 ∪ ∇β

and from Lemma 16(2) we get

σ1 ⊆ ∇β and σ3 ⊆ ∇α ∪ ∇σ1 ∪ ∇β

The latter simplifies to σ3 ⊆ ∇αβ using ∇σ1 ⊆ ∇β (from Lemma 16(3)) and Lemma 6(1).
Hence in this case the result follows with σ2 = [α].

- If α ∉# |σ'| −s ∇β then

  ⟹ |σ'| −s ∇β ⊆ ∇α    hypothesis
  ⟹ |σ'| ⊆ ∇αβ         Lemma 2(3)
  ⟹ σ' ⊆ ∇αβ           Lemma 16(2)

In the second case the result follows with empty σ1 and σ2 and σ' = σ3. ◁

Now Lemma 13 follows from Lemma 15 (LD' ⟹ LD) and Lemma 17 (LD ⟹ LD').

3.4 Labeled Rewriting

So far all proofs have been on sequences of labels. However, for the main result (Section 3.6)
we need labeled rewriting. Hence this section sketches how we formalized labeled (abstract)
rewriting before lifting the results from Section 3.2 from labels to labeled rewriting.

In the sequel objects will have type 'a and labels will have type 'b. Recall that a labeled
rewrite step carries the label between its two objects and is hence of type 'a × 'b × 'a. A
labeled ARS is a set of labeled rewrite steps.^7

    type_synonym ('a,'b) lars = "('a × 'b × 'a) set"

Next we define (labeled rewrite) sequences, i.e., for each object a there is the empty
sequence a →ε a, and if a →α b is a labeled rewrite step and b →σ c is a sequence then a →ασ c is
a sequence.

^7 Note that Abstract_Rewriting.thy does not contain any support for labeled abstract rewrite systems.
    type_synonym ('a,'b) seq = "('a × ('b × 'a) list)"

    inductive_set seq :: "('a,'b) lars ⇒ ('a,'b) seq set" for B where
        "(a, []) ∈ seq B"
      | "(a,α,b) ∈ B ⟹ (b,ss) ∈ seq B ⟹ (a,(α,b) # ss) ∈ seq B"



► Example 18. Let B be the labeled ARS with the labeled relation {(a, α, b), (b, β, c)}. Then
a →α b →β c (or a →αβ c) is a sequence in B, represented as (a, [(α,b), (β,c)]) in Isabelle.
Empty sequences consist of at least an object, i.e., the empty sequence starting from a is
(a,[]).

We introduce a function lst, which returns the last element of a rewrite sequence.

    definition lst :: "('a,'b) seq ⇒ 'a"
      where "lst ss = (if snd ss = [] then fst ss else snd (last (snd ss)))"

We prove useful properties for rewrite sequences, i.e., that chopping off a segment of a
sequence again yields a sequence and that two sequences can be concatenated (provided the
last element of the first sequence coincides with the first element of the second sequence).

► Lemma 19. Let a1 → ⋯ → an and b1 → ⋯ → bm be sequences.

1. Then a1 → ⋯ → ai and ai → ⋯ → an are sequences for any 1 ≤ i ≤ n.

2. If an = b1 then a1 → ⋯ → an = b1 → ⋯ → bm is a sequence.

Proof. By induction on a1 → ⋯ → an. ◁

As a next step we introduce diagrams.

► Definition 20. A diagram is a quadruple of sequences (τ, σ, σ', τ') such that the start
and endpoints of the sequences satisfy the picture in Figure 1(a). A diagram is called decreasing
if its labels are.

From now on we use τ, σ, etc. also to denote (labeled rewrite) sequences in Isabelle. The
type information clarifies whether labels or rewrite sequences are meant.



    definition diagram :: "('a,'b) lars ⇒ ('a,'b) seq × ('a,'b) seq × ('a,'b) seq × ('a,'b) seq ⇒ bool"
      where "diagram B d = (let (τ,σ,σ',τ') = d in {σ,τ,σ',τ'} ⊆ seq B ∧
        fst σ = fst τ ∧ lst σ = fst τ' ∧ lst τ = fst σ' ∧ lst σ' = lst τ')"



Next we introduce a function labels, which extracts the labels of a sequence, e.g.,
labels(a →α b →β c) = [α,β]. With the help of this function we can define a predicate DD,
which holds if a quadruple of sequences forms a decreasing diagram.

    definition labels :: "('a,'b) seq ⇒ 'b list"
      where "labels ss = map fst (snd ss)"

    definition DD :: "('a,'b) lars ⇒ 'b rel ⇒ ('a,'b) seq × ('a,'b) seq × ('a,'b) seq × ('a,'b) seq ⇒ bool"
      where "DD B r d = (let (τ,σ,σ',τ') = d in
        diagram B d ∧ decreasing r (labels τ) (labels σ) (labels σ') (labels τ'))"

We lift Lemma 11 from labels to diagrams.

► Lemma 21 ([17, Lemma 3.5] for decreasing diagrams). Pasting two decreasing diagrams
yields a decreasing diagram. For a picture see Lemma 11.

Proof. With the help of Lemma 19(2) we show that pasting two diagrams again yields a
diagram. That pasting preserves decreasingness follows from Lemma 11. ◁

3.5 Well-Foundedness

To prove the main result we introduce a measure on peaks (more precisely the measure is
on pairs of sequences).

► Definition 22. Let |(τ, σ)| := |τ| + |σ|. Then we can lift ≺ as a relation on labels to a
relation on pairs of sequences, i.e., p1 ≺peak p2 if |p1| ≺mul |p2|.

    definition measure :: "'b rel ⇒ ('a,'b) seq × ('a,'b) seq ⇒ 'b multiset"
      where "measure r p = r|labels (fst p)| + r|labels (snd p)|"

    definition pex :: "'b rel ⇒ (('a,'b) seq × ('a,'b) seq) rel"
      where "pex r = {(p1,p2). (measure r p1, measure r p2) ∈ mul r}"

For proofs by induction we establish that ≺peak is well-founded.

► Lemma 23. Let ≺ be well-founded. Then ≺peak is well-founded.

Proof. From [J] we get that ≺mul is well-founded (this proof is contained in Multiset.thy).
We proceed by contraposition. Assume the measure on peaks is not well-founded. Then we
obtain an infinite sequence

⋯ ≺peak (τ2, σ2) ≺peak (τ1, σ1)

which entails an infinite sequence on multisets

⋯ ≺mul |τ2| + |σ2| ≺mul |τ1| + |σ1|

showing the result. ◁

3.6 Main Result

► Definition 24. A peak is a pair of labeled rewrite sequences which originate from the same
object. A local peak is a peak where the labeled rewrite sequences consist of a single step.

    definition peak :: "('a,'b) lars ⇒ ('a,'b) seq × ('a,'b) seq ⇒ bool"
      where "peak lars p = (let (τ,σ) = p in {τ,σ} ⊆ seq lars ∧ fst τ = fst σ)"

    definition local_peak :: "('a,'b) lars ⇒ ('a,'b) seq × ('a,'b) seq ⇒ bool"
      where "local_peak lars p = (let (τ,σ) = p in
        peak lars p ∧ length (snd τ) = 1 ∧ length (snd σ) = 1)"

► Definition 25. A peak (τ, σ) in a labeled ARS B is decreasing if it can be completed
into a decreasing diagram, i.e., there are σ' and τ' such that the conditions of Figure 1(a) are
satisfied. A peak is locally decreasing if it is decreasing and a local peak.
Figure 3 Lemma 26. (a) Local decreasingness implies decreasingness. (b) Pasting D and IH1 into DIH1.



We establish that if all local peaks of a labeled ARS B are decreasing then all peaks
of B are decreasing, following the structure of the proof of [17, Theorem 3.7]. (Changes are
discussed in Section 4.) Note that only here we need that ≺ is well-founded, from which
irreflexivity immediately follows (to satisfy our global assumption from Section 2).

► Lemma 26 (similar to [17, Theorem 3.7]). Let B be a labeled ARS and ≺ be a transitive
and well-founded order on the labels. If all local peaks of B are decreasing, then all peaks
of B are decreasing.

Proof. To show that all peaks are decreasing we fix a peak (τ, σ) and show that this peak
can be completed into a decreasing diagram. The proof is by well-founded induction on
≺peak and there only is the step case. The only interesting situation is when neither τ nor σ
is empty, i.e., (using Lemma 19(1)) τ and σ each split into a first step (labeled β and α,
respectively) followed by the remaining sequence (see Figure 3(a)). Hence the two first steps
form a local peak and from the assumption we obtain a decreasing diagram D with joining
sequences. The joining sequence of D that starts at the end of the β-step together with the
remainder of τ is again a peak, and we want to show that the measure of this peak is smaller
than that of (τ, σ) (to apply the induction hypothesis). Since β is not empty, with Lemma 12
we establish that the measure of this new peak is smaller than |α| + |τ|, and from |α| ≼mul |σ|
we obtain the desired result.^8 Now, the induction hypothesis yields that IH1 is a decreasing
diagram. Concatenating (using Lemma 19(2)) the two sequences on the common side into one
sequence, using Lemma 21 we can paste the diagrams D and IH1 into a decreasing diagram (DIH1,
see Figure 3(b)).

The peak formed by the remainder of σ and the bottom side of DIH1 is smaller than the
peak (τ, σ) by a mirrored version of Lemma 12 and hence the induction hypothesis yields the
decreasing diagram IH2. Finally, a mirrored version of Lemma 21 pastes DIH1 and IH2 into a
decreasing diagram, concluding the proof. ◁

We define local decreasingness for ARSs.

► Definition 27 ([17, Definition 3.8]). An ARS A is locally decreasing if there exists a
transitive and well-founded relation ≺ on the labels such that all local peaks are decreasing
for (a labeled version of) A.

^8 This step is missing in [17].
The corresponding definition in Isabelle shows that the labeled version of A can be chosen
freely, since we only demand the existence of a labeled version of A satisfying decreasingness
of all local peaks.

    definition unlabel :: "('a,'b) lars ⇒ 'a rel"
      where "unlabel B = {(a,c). ∃b. (a,b,c) ∈ B}"

    definition LD :: "'b ⇒ 'a rel ⇒ bool"
      where "LD L A = (∃ r B. (A = unlabel B) ∧ trans r ∧ wf r ∧
        (∀p. (local_peak B p ⟶ (∃ σ' τ'. (DD B r (fst p, snd p, σ', τ'))))))"

Finally we arrive at the main result for soundness:

► Corollary 28 ([17, Corollary 3.9]). A locally decreasing ARS is confluent.

Proof. From local decreasingness we get a transitive and well-founded relation ≺ such that
all local peaks are decreasing in a labeled version of the ARS. Lemma 26 yields that all peaks
are decreasing. The result follows by dropping labels from the labeled rewrite sequences. ◁

3.7 Applications

To show the applicability of our formalization we have formally proven Newman's Lemma:

► Lemma 29. A locally confluent and terminating ARS is confluent.

Proof. We follow the proof in [17]. As labeled ARS we take A' = {(a, a, b) | (a, b) ∈ A} and
as relation on the labels we use ≺ = ←⁺. From termination of → we get well-foundedness
and transitivity of ←⁺.

Next we establish that a → a1 → a2 → ⋯ implies ai ≺ a for any i ≥ 1 by induction on
the labeled rewrite sequence (using transitivity of ←⁺).

Hence from Lemma 13 and the local confluence assumption we get decreasingness of all
local peaks. The result follows from Lemma 26 and Corollary 28. ◁

4 Meanderings

In this section we discuss differences between our formalization and (proofs from) [17].

Within Isabelle an ARS is just a binary relation while in [17] the ARS also contains the
domain of the relation. A similar statement holds for labeled ARSs.

General multisets are used in [17], which can represent sets and finite multisets in one
go, whereas our formalization clearly separates the two concepts. This allows us to reuse
existing machinery from the Isabelle theories Set.thy and Multiset.thy. The separation of both
concepts did not blow up our formalization; only for the definition of the down-set and for
Lemma 6(1) we needed such duplicates.

However, [17] uses a different definition of the multiset extension than Multiset.thy, where
the multiset extension is defined as the transitive closure of the "one-step" multiset extension.

► Definition 30 (Multiset.thy). The one-step multiset extension (denoted by ≺mult1) of ≺ is
defined by

M ≺mult1 N if ∃ α I K. M = I + K, N = I + {#α#}, ∀b ∈ K. b ≺ α

and the multiset extension of ≺ (denoted by ≺mult) is the transitive closure of ≺mult1.
Based on the results in Multiset.thy and Definition 3(1) we have proven these two
definitions equivalent for any transitive base relation.

► Lemma 31. If ≺ is transitive then ≺mult and ≺mul coincide. ◁

Moreover we proved the claim in Definition 3.

► Lemma 32. We have that ≼mul is the reflexive closure of ≺mul.

Proof. First we show the inclusion from left to right. Let (M,N) ∈ ≼mul. If J = {#} then
M = N and the result follows. In the other case (M, N) ∈ ≺mul and we are done.

For the reverse inclusion let (M, N) be in the reflexive closure of ≺mul. If M = N then
we finish with I = M, K = J = {#}. In the other case we get suitable I, J, and K from
the definition of ≺mul. ◁

Our formalization is first performed for sequences (of labels) and then lifted to labeled
rewrite sequences, a step which is left implicit in [17].

Next we want to stress that our proofs of Lemma 6(3) and Lemma 8(1) differ from
the informal ones in [17]. Since Lemma 13 is stated as a proposition in [17], the informal
argument given there could not be replayed directly in Isabelle. Hence we also contributed
a formal proof of this result, requiring auxiliary results (Lemmata 14 and 16).

Concerning missing proofs (or proof steps), we mention Lemma 6(8,9), which we needed
to replay the proofs of Lemmata 11 and 12.

There are some (tiny) differences between [17, Main Theorem 3.7] and Lemma 26. [17]
claims to use a measure on diagrams. However, since the closing/joining steps of the diagram
are just obtained by the induction hypothesis, a measure on peaks seems more suitable.
Moreover, since in either case the measure is a multiset, it is hard to relate arbitrary multisets
to a peak. Hence we lifted the order on labels ≺ to peaks ≺peak (Section 3.5) and used
well-founded induction on this order. In the formalization of Lemma 26 (Footnote 8) we located
a missing step, which is essential to apply the induction hypothesis. Another aspect where
our formalization deviates from [17] is that the original work uses families of labeled ARSs
whereas our formalization considers a single labeled ARS only. Hence [17, Theorem 3.7]
states the main result on families of ARSs whereas our Lemma 26 makes a statement about
a single ARS.

All in all we regard the gaps that we spotted to mainly be gaps for a theorem prover,
while a human would easily swallow them. Furthermore we want to stress that the precision
(while compactness) of the proofs given in [17] clearly helped us in the task of formalizing
its main theorem.

5 Conclusion

In this paper we have described a formalization of decreasing diagrams in the theorem
prover Isabelle following the original proof from [17]. Our contribution is more than just
replaying the proofs in Isabelle, e.g., the results of Sections 3.3, 3.4 and 3.5 are either informal
or implicit in [17]. Note that some of our achievements on multisets (especially Lemma 6(3))
are of interest for a larger community.

In [2] a "point version" of decreasing diagrams is introduced, where objects are labeled
instead of steps. It is unknown if the point version is equivalent to the standard one. Parts
of [2] have been formalized in Coq but 29 axioms are assumed, i.e., not proven in the theorem
prover. Furthermore the more useful alternative representation of local decreasingness
(Lemma 13) is not considered in [2]. Hence for these reasons we do not regard [2] as a
(complete) formalization of decreasing diagrams.

We anticipate that our contribution paves the way for future work in several directions.
One possibility is the formalization of confluence results that can be proven with decreasing
diagrams (e.g. Toyama's theorem [20]). Another idea would be the certification of confluence
proofs (based on decreasing diagrams) given by automated confluence provers. Both aims
will require lifting our formalization of decreasing diagrams from abstract rewriting to term
rewriting. We stress that the Isabelle Formalization of Rewriting (IsaFoR [30]) already
contains notions such as critical pairs, which will ease this job. IsaFoR has been developed to
formalize termination criteria for rewriting and also offers the opportunity to check concrete
termination proofs given by automated termination tools. A dedicated category is present
in the international competition of termination tools^9 since 2007. Concerning the confluence
competition,^10 already in its first edition confluence proofs due to Knuth and Bendix' criterion
[12] and for orthogonal systems [22] could be certified with the help of IsaFoR. These
two criteria applied to 27 out of 113 confluence proofs and hence our contribution can be
seen as a first step to drastically increase the number of certified confluence proofs.

Finally we remark that we will formalize alternative proofs of decreasing diagrams. While
the conversion version of decreasing diagrams [19] in theory is equally powerful as the one
from [17], practice has shown a slightly different picture [5]. Since the proof of the conversion
version of decreasing diagrams follows the structure of Lemma 26, we anticipate that our
formalization forms a good basis for this challenge.